Technology Rising: Problems in Applying the International Laws of War to Cyber Attacks
Vol. 38 Associate Editor
As technology continues to become more sophisticated, the problems in the laws governing cyber attacks and cyber security correspondingly grow. In setting the law and policy governing cyber attacks, the problem has often been thought of as “fighting a cyber-war,” in which such cyber attacks are analogized to war or attacks of war. The application of the international laws of war, however, has serious flaws in its application to cyber security. The uncertainty regarding when a cyber attack constitutes an “armed attack” and the difficulties in attributing such attacks to state actors create loopholes within which hackers can strike. The first problem encountered when applying the international law of wars to cyber attacks is whether the cyber attack actually triggers the use of self-defense. Both Article 51 of the UN Charter and the customary international law of self-defense “seem to agree that what triggers the right to self-defense is an armed attack.” An armed attack is considered “a use of force,” which is characterized by “its gravity and  effects rather than by the instrument used.” Thus, it is generally agreed that “substantial human and/or material destruction” is considered an armed attack. In applying these principles to cyber attacks, however, a problem emerges over whether a cyber attack that does not directly cause such human or material destruction can be considered an armed attack. This can make it more difficult to conclude that a cyber attack has in fact occurred and thus may provide an opportunity for hackers to execute cyber attacks without corresponding liability. The unspecified amount of damage or destruction needed to constitute an armed attack provides another opportunity for hackers to exploit and escape liability. An additional loophole can be created when a country executes a series of ‘low intensity’ cyber attacks which individually do not rise to the level of an ‘armed attack’ but when looked at cumulatively could have substantial destructive power. If a country can establish that a cyber attack constitutes an armed attack, the country must still meet certain standards before it can resort to the lawful use of force. The International Court of Justice has stated that such an “armed attack” must be “significant” and “attributable to the state where the self-defense is being carried out.” Attribution of the country responsible for the attack can be complicated “[g]iven the anonymity of the technology involved.” Hackers may infiltrate the computer systems of thousands of people in multiple jurisdictions, which may convolute the trail leading back to the original perpetrator. As the sophistication of hacking technology also improves, the sophistication of hacker’s ability to cover their tracks correspondingly increases. The difficulty of attributing a cyber attack to a specific country is further complicated when the hacker is a non-state actor. While there is general agreement that “if a state’s agent attacks another state, then the hostile conduct is attributable to the state,” there is uncertainty as to whether, or under what circumstances, a cyber attack can be attributed to a non-state actor. Under one formulation, when a non-state actor acts under the direction or control of a state, such actions are attributable to the state; however, a more complicated question arises in regards to individual hackers acting without the state’s approval. The lack of consensus regarding whether the unapproved actions of a non-state actor may be attributed to a state provides an opportunity for hackers, and even states, to exploit. Individual hackers may be able to launch cyber attacks while escaping both individual liability and liability for the jurisdiction in which the attack originated due to such uncertainty of whether such acts are attributable to the state. Under one proposed solution, in such cases, “international law [would] require states to take reasonable preventive measures” against cyber attacks. The downfall with such a proposition is the unclear threshold of what constitutes such “reasonable preventive measures”; the extent of a state’s duty has not yet been clearly defined. While such uncertainty exists, a non-state hacker may be able to perpetrate cyber attacks while located in a certain state and the state may avoid responsibility for such attacks by arguing there were no clear actions it was required to take. Given the loopholes in the international law of wars when applied to cyber attacks, additional rules and regulations will need to be developed. Creating a clear standard for when a non-state individual’s actions may be attributable to the state it is operating within would help to close some of these gaps. More succinctly defining the duty of a state to take measures to prevent cyber attacks is also essential. As the sophistication of technology continues to increase, remaining vigilant in policing and adapting to changes in this sphere is vital to national security.
 Mary Ellen O’Connell, University of Notre Dame Law School, Speech at Cyber Security and International Law Meeting: Cyber Mania 3 (May 29, 2012).  Id.  Nicholas Tsagourias, Cyber Attacks, Self-Defense and the Problem of Attribution, 17 J. of Conflict and Security L. 229, 230 (2012).  Id. at 231 (citation omitted).  Id. (citation omitted).  See id. at 231-32.  See Gary D. Solis, Cyber Warfare, 219 Mil. L. Rev. 1, 14-15 (2014) (“While the required degree of injury or damage remains unresolved, a cyber intrusion (a cyber operation short of an attack) into another state’s cyber systems would not constitute a use of force. . . .”).  See id. at 13-14.  See Tsagourias, supra note 3, at 232-33.  O’Connell, supra note 1, at 6.  David E. Graham, Cyber Threats and the Law of War, 4:87 J. Nat’l Security L. & Policy 87, 92 (2010).  See Tsagourias, supra note 3, at 233.  Id. at 235.  Michael Gervais, Cyber Attacks and Law of War, 30 Berkeley J. Int’l L. 525, 545 (2012).  Id. at 546.  See id. at 547.  For example, David E. Graham posits that “[t]he smoke screen of a state attributing cyber attacks exclusively to private individuals within a state may…serve as  convenient cover for states that might be either directing or knowingly tolerating such attacks.” Graham, supra note 10, at 93.  Gervais, supra note 13, at 548.  Id.